A Connextions employee used Social Security numbers from a number of other organizations for criminal activity. At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity. The breach was reported on HHS as affecting 4,814 patients, but more were affected.

Information Source:
HHS via PHIPrivacy.net

records from this breach used in our total:
6,000

April 10, 2013

Schnuck Markets Inc.St. Louis, Missouri

BSR

HACK

Unknown

A lawsuit was filed against Schnucks Markets Inc. after customers learned that Schnucks failed to warn customers about a data breach within two weeks. On March 15, Schnucks learned that a portion of their loyalty cards were affected, but waited until March 30 to send a press release. Customer payment card numbers and expiration dates were exposed through a magnetic strip swiping security breach. No customer names were exposed.

UPDATE (04/15/2013): The breach affected about 2.4 million customer debit and credit cards at 79 Schnucks locations. Payment cardholders' contact and identifying information were not exposed. Customers who visited a Schnucks between December of 2012 and March 29, 2013 may have been affected.

UPDATE (05/24/2013): A class action lawsuit was filed against Schnuck Markets in early May. Schnuck Markets claims that the the lawsuit belongs in federal court because of the case's scope and damages. The lawsuit sought damages from Schnucks for time and effort that affected individuals had to put into monitoring and managing compromised credit card information. The lawsuit also alleges Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law. However Schnucks states that the "time and effort" claims for Illinois alone easily exceed the $5 million threshold for federal consideration.

UPDATE (06/21/2013): A new estimate from Schnucks states that 500,000 unique credit or debit cards may have been involved.

UPDATE (07/11/2013): After a review, the Missouri Attorney General's office has stated that Schnuck Markets did not violate state data security law.

UPDATE (08/31/2013): Liberty Mutual Insurance Co. is suing Schnuck Markets Inc. Liberty Mutual claims that it should not be held liable for eight lawsuits filed against Schnucks.

Information Source:
Media

records from this breach used in our total:
0

April 11, 2013

Chapman UniversityOrange, California

EDU

DISC

Unknown

Sensitive documents could have been viewed electronically by authenticated users of the on-campus network. The issue was discovered on February 27. Names, Social Security numbers, student identification numbers, and dates of birth may have been viewed by people who could log into Chapman's system, but shouldn't have been able to access the information.

Information Source:
California Attorney General

records from this breach used in our total:
0

April 12, 2013

Chapman UniversityOrange, California

EDU

DISC

Unknown

An administrative error caused the personal information of some students to be exposed online. The issue was discovered on February 27. Authenticated users of Chapman's on-campus network could have viewed names, Social Security numbers, student identification numbers, and dates of birth. The documents were blocked from access by unauthorized users once the breach was discovered.

Information Source:
California Attorney General

records from this breach used in our total:
0

April 12, 2013

PentagonWashington, District Of Columbia

GOV

UNKN

Unknown

Lawyers working with Guantanamo Bay detainees had to pause their work after being told to stop using the Pentagon's computer system. An unspecified issue left over 500,000 emails unsafe to access or deleted from a Pentagon common drive. The breach left defense files unsecured and it may have been possible for prosecutors to view confidential defense emails.

Information Source:
Media

records from this breach used in our total:
0

April 15, 2013

WawaBurlington, New Jersey

BSF

CARD

Unknown

Customers who shopped at a Wawa on Salem Road in Burlington, New Jersey noticed fraudulent purchases on their credit cards. Investigators were able to trace the fraud to four people and arrest them. The four men were charged with credit card theft, credit card fraud, identity theft, and having electronic devices for criminal use. More victims are expected to be found.

Information Source:
Media

records from this breach used in our total:
0

April 16, 2013

Schneck Medical CenterSeymour, Indiana

MED

DISC

3,000 (no SSNs or financial information reported)

A Schneck Medical Center employee gave a presentation that was later placed online. People who searched through the files from the presentation could find the names of 3,000 Schneck Medical Center patients. The presentation was removed from online and Google removed all cached information from the Internet.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

April 16, 2013

Iberdola USA, Central Maine PowerAugusta, Maine

BSO

HACK

5,100 (No SSNs or financial information reported)

A hack of Iberdrola USA's recruitment website may have exposed the information of anyone who applied for a job at Central Maine Power or any of its sister companies since January 2007. Rochester Gas and Electric Corp and New York State Electric and Gas Corp. were also affected.

Information Source:
Media

records from this breach used in our total:
0

April 17, 2013

Erlanger Health System, Erlanger HospitalChattanooga, Tennessee

MED

PHYS

87

Erlanger Health System sent notes to 87 families and apologized for an incident that left the patient records of children exposed. The records contained names, Social Security numbers, phone numbers, and dianosis information. Erlanger has not been made aware of the records being used in an unauthorized manner.

The home theft of any employee's laptop and external drive resulted in the exposure of patient information. The theft occurred sometime between March 18 and March 25; other items were stolen besides the laptop and hard drive. Neither the laptop nor the hard drive were encrypted. Patients who visited either Cenpatico or its contractor ATS between 2011 and 2013 may have had their names, dates of birth, and treatment plans exposed.

UPDATE (04/17/2013): More than 3,000 patients were affected by the breach.

Two patients ran a google search of their names and were able to find their medical information online. Doctors' reports with medications, medical treatments, lab information, future and past treatment plans, physical examination information, and lifestyle information could be downloaded by anyone who found the information online. The documents were from November 2012 through January 2013 and discovered online in mid-March. Portal Healthcare secured the sensitive information on its servers on March 14. A lawsuit was filed against Glens Falls Hospital, Portal Healthcare Solutions LLC, and Carpathia Hosting in mid-April for patient privacy violations.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

April 23, 2013

HostgatorHouston, Texas

BSO

INSD

Unknown

An employee was found to have installed backdoors on more than 2,700 company servers. The issue was discovered the day after the dishonest employee was dismissed. He worked for Hostgator from September 2011 to February 15, 2012. The dishonest employee was arrested and charged with breach of computer security.

Information Source:
Media

records from this breach used in our total:
0

April 23, 2013

Kmart, SearsLittle Rock, Arkansas

BSR

PORT

788 ("a few hundred" SSNs involved)

An assistant manager was forced to open a Kmart safe and give a thief access to $6,000 in cash and an unencrypted backup disk with a day's worth of customer information. The backup disk contained names, addresses, dates of birth, prescription numbers, prescription providers, insurance cardholder IDs and drug names. The armed robbery occurred on March 17.

Information Source:
Media

records from this breach used in our total:
200

April 23, 2013

Macy'sLafayette, Indiana

BSR

DISC

Unknown

A man guessed or accessed the Social Security numbers of Macy's customers in order to exploit a Macy's policy for the purpose of making fraudulent purchases. He then created ID cards that paired his picture with the customer information. A Macy's policy allowed him to charge purchases to the accounts of other Macy's customers by using their Social Security numbers and showing his falsified IDs.

Information Source:
Media

records from this breach used in our total:
0

April 23, 2013

City of MonroevilleMonroeville, Pennsylvania

MED

DISC

Unknown

A number of inappropriate security practices may have exposed the information of people who called Monroeville's 911 dispatch center, police department, fire department, or EMS department in 2012 or 2013. Monroeville is being investigated for possible violations of federal health privacy laws. An August 2012 complaint to the U.S. Department of Health and Human Services' Office for Civil Rights stated that protected health information may have been given to a former police chief via email and that weak and poorly managed usernames and passwords were used to access a database of 911 callers' medical information.

UPDATE (07/18/2013): Monroeville 911 records from August 2010 through February 2013 were available to volunteer firefighters and former and inacitive emergency responders. There was no protocol in place for removing the former personnel from the list of people who received 911 dispatch data.

Information Source:
Media

records from this breach used in our total:
0

April 23, 2013

OneWest BankPasadena, California

BSF

HACK

Unknown

A OneWest service provider suffered an unauthorized network intrusion during the first quarter of 2011. OneWest client names, Social Security numbers, addresses, dates of birth, phone numbers, driver's license numbers, and passport numbers may have been exposed.

Information Source:
California Attorney General

records from this breach used in our total:
0

April 24, 2013

City of BerkeleyBerkeley, California

GOV

DISC

11,000

A media group who regularly collects public employee salary and benefit information released Social Security numbers after they were mistakenly included in a file that the City of Berkeley provided. The information was sent by Berkeley in March and the mistake was discovered in early April. Around 2,000 active staff members and 9,000 retirees were affected. mistakenly released the Social Security numbers of the employees as well.

Information Source:
Media

records from this breach used in our total:
11,000

April 25, 2013

Child and Family Services of New HampshireManchester, New Hampshire

MED

PHYS

23 (No SSNs or financial information exposed)

Someone took 23 files from a secure area in the Child and Family Services of New Hampshire main office sometime between March 15 and March 18. The breach was discovered on March 19. The files contained client names, dates of birth, addresses, Medicaid numbers, notes from home visits, and other health information related to home visits.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

April 26, 2013

LivingSocialWashington, District Of Columbia

BSO

HACK

29 million (no SSNs or financial information reported)

As many as 50 million LivingSocial members may have had their names, email addresses, dates of birth, and encrypted passwords exposed by a cyber attack. Customer credit card information was not compromised. Customers were encouraged to change their passwords on any other sites on which they used the same or similar passwords.

UPDATE (05/03/2013): As many as 50 million acounts may have been affected. It is estimated that 29 million people used LivingSocial and many had multiple accounts.

Information Source:
Media

records from this breach used in our total:
0

April 26, 2013

Life Flight (IHC Health Services Inc.)Aurora, Oregon

MED

DISC

842 (107)

An administrative error caused the information of patients flown by Life Flight helicopters to be available online. Patients flown during April, May, and June of 2004 may have had unspecified information exposed. It was confirmed that 107 patients had their Social Security numbers exposed. It is unclear how long the information was available and if patients flown during additional months may have been affected. The information was moved to a secure server to address the breach.

UPDATE (05/17/2013): The sensitive information was available online as early as October 12, 2009.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
107

April 26, 2013

Upstate University HospitalSyracuse, New York

MED

PORT

283 (No SSNs or financial information reported)

A portable electronic device was stolen from Upstate University Hospital on March 30 or 31. It contained the names, hospital medical record numbers, dates of birth, and diagnosis information of patients.

An employee's car was the target of an April 1 break-in. A company laptop and 10 patient files were taken during the car theft. The paper files were recovered, but the laptop also contained patient information. Names, Social Security numbers, addresses, telephone numbers, health insurance information, names of providers, and the reasons for patients' appointments may have been included in emails stored on the laptop.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

April 29, 2013

Hope HospiceNew Braunfels, Texas

MED

DISC

818 (No SSNs reported)

Those with questions may call CEO Debra Houser-Bruchmiller's office at 800-499-7501.

An employee used an unsecured email to send sensitive patient information. Two separate administrative violations occurred on December 27, 2012 and on February 22, 2013. The issue was discovered on February 25. The information was secured on February 28, 2013. Patient names, referral sources, Hospice admission and discharge dates, the names of insurance providers, and chart numbers may have been exposed.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

April 29, 2013

Gomez Gasoline and AutomotiveWatsonville, California

BSR

CARD

50

Those with information or questions about the investigation may call 831-768-3350 or the anonymous tip line at 831-768-3544.

More than 50 reports of credit card fraud have been traced to people who were customers at Gomez Gasoline and Automotive. Police suspect that a credit-card skimming device was placed on one or more gas pumps. The skimming devices have been spotted at other gas stations.

Information Source:
Media

records from this breach used in our total:
50

May 1, 2013

U.S. Department of LaborWashington, District Of Columbia

GOV

HACK

Unknown

The Department of Labor's website was found to have been infected with malware that spreads to visitors using the web browser Internet Explorer. Microsoft had already released a patch to address the Internet Explorer vulnerability and the malware targets users who have not taken advantage of the patch.

Information Source:
Media

records from this breach used in our total:
0

May 1, 2013

U.S. Army Corps of Engineers' National Inventory of DamsWashington, District Of Columbia

GOV

HACK

Unknown

Users of the National Inventory of Dams received notification that their information was reset after a hack may have compromised usernames and passwords. Hackers obtained non-public information of around 8,100 major dams in the United States by breaching the database. The information included dam vulnerabilities and could be used by cyber terrorists.

Patient records were found on the floor at an abandoned hospital building named Waterside. The woman who discovered them was a former Lakeshore employee and she alerted a local news station. Names, Social Security information, case numbers, dates of birth, and other patient information were exposed.

UPDATE (06/27/2013): At least 20 boxes of patient records were found in an abandoned building at the Clover Bottom Campus of the Middle Tennessee Mental Health Institute. The records dated back to the 1980's and had been reviewed to confirm which had sensitive information that needed to be destroyed.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

May 2, 2013

Reputations.comRedwood, California

BSO

HACK

Unknowm

Reputation.com experienced a hack that exposed customer names, email addresses, mailing addresses, date of birth, and employment information. Additionally, some customers had their encrypted passwords stolen. Reputation.com immediately reset all customer passwords after learning about the breach. Customers are encouraged to change their passwords on other sites if they reused their Reputation.com password.

Information Source:
Media

records from this breach used in our total:
0

May 2, 2013

Spellman High Voltage Electronics CorporationValhalla, New York

BSR

INSD

Unknown

A disgruntled employee announced his resignation and then was caught copying files from his computer to a flash drive. Employees at Spellman began experiencing transaction and intranet disruptions after the disgruntled employee left even though his access to company servers was disabled after discovery of his suspicious activities. The events began to occur sometime around January of 2012. An investigation of the events led to the arrest of the former employee and federal prosecutors claim that he caused enough mayhem to cost Spellman over $90,000 by using his knowledge of Spellman's computer system and stolen passwords. The former employee pleaded not guilty.

Information Source:
Media

records from this breach used in our total:
0

May 3, 2013

University of Rochester Medical CenterRochester, New York

MED

PORT

537 (No SSNs or financial information exposed)

The loss of an unencrypted flash drive exposed sensitive patient information. The flash drive contained name, date of birth, weight, gender, telephone number, URMC internal medical record number, orthopaedic physician name, date of service, diagnosis, diagnostic study, procedure, and complications. The flash drive is believed to have been destroyed after ending up in the medical center laundry. It was not found.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
0

May 3, 2013

Schoenbar Middle SchoolKetchikan, Alaska

EDU

HACK

Unknown

A ring of middle school students were able to gain access to and control of more than 300 computers by phishing for teacher administrative codes. At least 18 students were involved. The breach happened when students used software to imitate a legitimate software update on their computers. The students then asked teachers to enter administrative account information so that they could complete the software updates or installations. The phony software then stored teacher credentials. The students were then able to control 300 laptops belonging to other students by using the administrative credentials. The school believes that servers and sensitive information were not exposed. The breach occurred around Friday, April 26 and was discovered on Monday, April 29 when students noticed that other students appeared to be controlling student laptops remotely and reported the issue.

Information Source:
California Attorney General

records from this breach used in our total:
0

May 6, 2013

California Department of Public Health (CDPH)Sacramento, California

GOV

PHYS

2,000

Those with questions may call (855) 737-1796.

A reel containing images of 2,000 State of California Birth Records from May through September of 1974 was found in a publicly accessible location. Names, Social Security numbers, addresses, and certain types of medical information were in the birth record images. People in Santa Clara, Santa Cruz, Shasta, Siskiyou, Solano, Sonoma, Stanislaus, Sutter, or Tehama counties and who were born or had a child born in 1974 between May and September were affected.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
2,000

May 7, 2013

Tomren Wealth ManagementSan Ramon, California

BSF

HACK

Unknown

A server with client information was accessed by an unauthorized outside party between February 21 and March 6, 2013. The attack was an attempt to use the server for spam emailing. Client names, Social Security numbers, driver's license information, and FSC broker account numbers may have been accessed.

Information Source:
California Attorney General

records from this breach used in our total:
0

May 7, 2013

Raleigh Orthopaedic ClinicRaleigh, North Carolina

MED

PHYS

17,300

Raleigh Orthopaedic Clinic contracted with a vendor in order to have information from X-ray films transferred into electronic format. The X-ray film was actually sold by the unnamed vendor and melted harvest for silver by a recycling company in Ohio. Patient names and dates of birth were on the film. The Clinic does not believe that personally identifiable information was on the film.

Information Source:
Media

records from this breach used in our total:
0

May 7, 2013

MapcoBrentwood, Tennessee

BSR

CARD

Unknown

Customers who made purchases between March 19-25, April 14-15, or April 20-21 may have had their credit or debit card information compromised. Tennessee and six other Southern states may have been affected by the breach. It is not clear if the payment card information was taken inside the stores or outside of the stores at gas pumps.

UPDATE (06/10/2013): The accounts of consumers who used payment cards at 373 Mapco Express stores may have been affected. Two additional locations in Tennessee were affected on April 14 and 15. There are unnamed stores that may have been affected on April 20 and 21.

UPDATE (07/08/2013): Three lawsuits have been filed as a result of data stolen in three MAPCO breaches that occurred in March, April, and June.

Information Source:
Media

records from this breach used in our total:
0

May 8, 2013

Name.comDenver, Colorado

BSO

HACK

Unknown

Hackers accessed Name.com servers and may have obtained usernames, email addresses, passwords, and credit card account information. Customer passwords and credit card information were encrypted. Customers were notified of the breach and received an email asking them to reset their passwords.

Hackers exploited an Adobe vulnerability and used it to access Linode Manager web servers. One of Linode's web servers, parts of their source code, and their database were accessed. No other components of the Linode infrastructure were accessed by the hackers. Encrypted customer credit card numbers and passwords were obtained. The group HTP claimed responsibility for the hack.

Information Source:
Media

records from this breach used in our total:
0

May 8, 2013

Department of Family and Support Services (DFSS)Chicago, Illinois

GOV

STAT

Unknown

Nearly $41,000 in computer equipment was reported stolen from the Department of Family Support Services on May 7. The Division on Domestic Violence and a satellite senior center share the building where the theft occurred. The types of information that may have been on the device or devices were not reported.

A breach of the Administrative Office of the Courts' server resulted in the exposure of one million driver's license numbers between fall of 2012 and February of 2013. It was confirmed that at least 94 people had their Social Security numbers accessed. Up to 160,000 Social Security numbers could have been accessed.

In April the court was able to confirm that public records and confidential information were exposed. People who were booked in a city or county jail within the state of Washington between September 2011 and December 2012 may have had their name and Social Security number accessed. Anyone who received a DUI citation in Washington state between 1989 and 2011, had a superior court criminal case in Washington state that was filed against them or resolved between 2011 and 2012, or had a traffic case in Washington filed or resolved in a district or municipal court between 2011 and 2012 may have had their names and driver's license numbers exposed.

Information Source:
Media

records from this breach used in our total:
160,000

May 9, 2013

Lutheran Social Services of South Central PennsylvaniaYork, Pennsylvania

MED

HACK

7,300

Lutheran Social Services became aware of a malware program that was on its software system. Resident names, Social Security numbers, dates of birth, Medicare numbers, medical diagnosis codes, payer names, and health insurance numbers may have been exposed. The breach was discovered in March and Lutheran Social Services had not involved investigators or police as of May 9.

Information Source:
Media

records from this breach used in our total:
7,300

May 10, 2013

Indiana University Health ArnettLafayette, Indiana

MED

PORT

10,300 (No SSNs reported)

The theft of an employee's unencrypted laptop resulted in the exposure of patient information. The laptop was stolen from an employee's car on April 9 and contained email records. Patient names, medical record numbers, dates of birth, physician names, diagnoses, and dates of service may have been exposed.

Information Source:
Media

records from this breach used in our total:
0

May 10, 2013

PHH CorporationSuwanee, Georgia

MED

INSD

6,700

A former employee was indicted on charges related to misuse of applicant and employee personal information. Employee names, Social Security numbers, dates of birth, telephone numbers, email addresses, addresses, I-9 alien registration numbers, and other personal information may have been exposed. The issue was discovered on April 3.

Information Source:
California Attorney General

records from this breach used in our total:
6,700

May 10, 2013

CoinbaseSan Francisco, California

BSR

DISC

Unknown

A flaw in Coinbase's systems cause the information of some merchants to be exposed. Any merchant who created a "buy now" button, donate button, or hosted a payment page using Coinbase's Merchant Tools and posted a public link to it online had the page publicly visible on the internet. The page contained the company name, website, phone number, email address, and mailing address. Additionally, anyone could search for public Coinbase merchant payment pages and collect the email addresses of merchants. At least one phishing attack targeted merchants with an email that appeared to come from Coinbase.

Information Source:
Media

records from this breach used in our total:
0

May 10, 2013

Equity Trust CompanyElyria, Ohio

BSF

HACK

Unknown

An unauthorized third party accessed Equity Trust Company's computer network. The breach was discovered at the end of January 2013 and notification letters were sent on April 15. Equity Trust customers may have had their names, Social Security numbers, addresses, and other information viewed by online intruders.

Information Source:
California Attorney General

records from this breach used in our total:
0

May 11, 2013

Regional Medical CenterMemphis, Tennessee

MED

DISC

1,200

Those with questions may call 1-855-716-3627 for more information.

Some patients who were treated at an outpatient facility between May 1 of 2012 and January 31 of 2013 had their information attached to emails that went out to an unspecified organization or organizations. Three emails that were not secure were sent on October 29 and November 1 of 2012 and February 4, 2013. Patient names, Social Security numbers, account numbers, dates of birth, home phone numbers, and reasons for outpatient physical therapy services may have been exposed.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
1,200

May 13, 2013

80sTees.comMount Pleasant, Pennsylvania

BSR

HACK

Unknown

Unauthorized activity was detected on the 80sTees.com website. Customers may have had their credit or debit card information exposed.

Up to 160,000 people may have had their information exposed by a breach. Anyone who was booked into a city or county jail int he state of Washington between September of 2011 and December of 2012 may have had their Social Security number exposed.

Additionally, three classes of people may have had their names and driver's license information exposed. First, people who received a DUI citation between 1989 and 2011 in the state of Washington may have had their names and drivers' license numbers exposed. Anyone who had a traffic case filed or resolved in a district or municipal court between 2011 and 2012 may have been affected. Finally, anyone who had a criminal case in Washington filed against them or resolved between 2011 and 2012 may have had their name and driver's license number exposed.

A hacker took advantage of a security flaw in Presbyterian Anesthesia Associates' website and gained access to a database of patient information. Names, credit card numbers, dates of birth, and contact information may have been exposed.

UPDATE (05/15/2013): E-dreamz was the organization that hackers breached. Patients from Pledmont Healthcare may have also been affected by E-dreamz's breach. Names, addresses, phone numbers, email addresses, and credit card numbers may have been exposed. Social Security numbers were not among the data that could have been exposed.

Information Source:
Media

records from this breach used in our total:
9,988

May 15, 2013

El Centro Regional Medical CenterEl Centro, California

MED

PHYS

189,489

El Centro Regional Medical Center is claiming that they were defrauded by an unnamed company. The company was responsible for digitizing El Centro Regional's x-rays, but never returned the digitized version. The process should have been completed by the end of July. The original x-rays were most likely taken and destroyed to extract silver.

UPDATE (05/18/2013): The information on the records was as recent as February 2011. El Centro Regional Medical Center learned of the issue on March 22, 2013. Patients were notified on May 13.

Information Source:
PHIPrivacy.net

records from this breach used in our total:
189,489

May 15, 2013

OptiNose US Inc.Yardley, Pennsylvania

MED

PORT

Unknown

An unencrypted laptop was stolen from an employee's car. It may have contained names, Social Security numbers, and personal information related to people who worked at OptiNose.

Information Source:
Media

records from this breach used in our total:
0

Breach Total

816,044,756 RECORDS BREACHED(Please see explanation about this total.)from 4,506 DATA BREACHES made public since 2005